TOR on Academic networks (problem)
Joseph Lorenzo Hall
joehall at gmail.com
Tue May 16 15:13:11 UTC 2006
I can respond to this in some detail from Berkeley's perspective later
On 5/16/06, Michael Holstein <michael.holstein at csuohio.edu> wrote:
> I'm sure this has happened to others, but here goes on my problem.
> Many academic networks have a variety of online journals they subscribe
> to (like thousands of them) .. most allow campus-wide use restricted
> only by IP address, usually the whole /16 or greater.
> This of course presents a problem when you have a TOR router in that
> /16. Sometimes the admin at the journals will understand that TOR is
> just one of those 65k+ IP addresses and block that, and sometimes they
> get into a snit and say they'll block the whole /16.
> Since we can't put thousands of lines in the exit policy without causing
> a cascading problem, what about null-routing them .. either by putting
> entries in /etc/hosts that will be denied by the exit policy (thus
> causing the client to pick another exit -- but not preventing access
> directly by IP address), or the more secure, but more problematic,
> blocking by changing the kernel routing tables to send those networks
> into a blackhole on the TOR router.
> The first approach causes a minimal problem performance-wise since the
> client will choose a new path. The second will cause timeouts and
> significantly impact performance.
> Problem is, if these sort of issues persist, most of our institutional
> support will evaporate -- so I'm going to have to do something.
> I really don't want to hear about censorship, et.al. because I already
> know that's what it is, and don't have a problem admitting it. What I
> want is viable solutions to the problem.
> Any suggestions?
> Michael Holstein CISSP GCIA
> Cleveland State University
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
More information about the tor-talk